Craft Aid International Data Protection Policy

Table of Contents
Craft Aid International Data Protection Policy....................................................................................................1
Definitions.....................................................................................................................................................2
1. Introduction..............................................................................................................................................3
2. Purpose of this Policy................................................................................................................................3
3. To Whom the Policy Applies.....................................................................................................................3
4. Policy........................................................................................................................................................3
5. GDPR Policy Principles..............................................................................................................................4
5.1 Data Collection & Usage....................................................................................................................5
5.2 Data Quality.......................................................................................................................................7
5.3 Individual’s rights................................................................................................................................8
5.4 Data Security, Storage and Destruction............................................................................................10
5.5 Staff data held by CAI........................................................................................................................12
5.6 External requests for data access.....................................................................................................13
6. General staff guidelines on working practices to support the policy and principles ..............................15
7. Responsibilities ......................................................................................................................................16
Appendix 1: Accountability and Governance...............................................................................................17
Appendix 2: Registration with ICO and Data Protection Fee........................................................................18

Version: 0.1 draft Page 1 387950127.doc

Definitions
Data Controller: The organisation that determines the scope and purpose of data to be collected, and the
means of collection.
Data Processing: Any activity involving personal data is included in GDPR, including collection, storage
retrieval, organisation and filing, use, replication, dissemination, destruction or deletion. This therefore
applies to both paper-based and automated systems.
Data Processor: An organisation that processes data on behalf of a Data Controller.
Data Protection Impact Assessment (DPIA): a process to identify and minimise the data protection risks.
GDPR requires organisations to do a DPIA for any data processing likely to result in a high risk to individuals.
This includes some specified types of processing. DPIA replaces the Privacy Impact Assessment (PIA)
required in the Data Protection Act. For details of DPIAs, see: https://ico.org.uk/for-organisations/guide-to-
the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-
assessments/
ICO: Information Commissioner’s Office. It is the UK's independent body set up to uphold information rights,
including responsibility for the enforcement of the Data Protection Act 1998, and the General Data
Protection Regulation 2016.
Participant(s): Any individual - usually a person with disability - attending CAI craft sessions and/or
workshops run by Craft Aid International.
Personal Data: Information relating to an identifiable person who can be directly or indirectly identified by
an identifier. This therefore includes name, address, email address, telephone and mobile numbers,
identifier numbers, location data, bank account details,
Pseudonymisation: Processing data in such a way that it can no longer identify an individual without
additional information.
Staff: Any person paid or unpaid who might be in a position of trust on behalf of Craft Aid International
including director, trustees, employees, session leaders, support workers, employees, volunteers, contractors
providing services.
Stakeholder: Participants, staff, support workers, donors, supporters, customers, statutory organisations

Document history:
Version Date Author Reviewer Summary of Changes Issue Date
0.1 15/05/18 E Waters S Hart First draft 18/05/18

]Version: 0.1 draft Page 2 [387950127.doc]

[
1. Introduction
The Data Protection Act 1998 (hereafter referred to as DPA), superseded by the European Union General
Data Protection Regulation 2016 (hereafter referred to as GDPR), which applies throughout all EU member
states from 25 May 2018, were both introduced to ensure that organisations keep personal data secure,
regardless of whether data is stored electronically or on paper or other materials, and use it only for the
purposes for which it was given. Individuals enjoy a number of rights regarding the way their personal
information is handled, and all organisations must ensure those processing personal data on their behalf
understand what they need to do and have access to appropriate support and advice.

2. Purpose of this Policy

To set out how Craft Aid International (hereafter referred to as CAI) will operate to ensure privacy and
protection of personal data, and:
 comply with DPA up to May 25 2018, and GDPR thereafter, which set out the law regarding the
processing of personal data
 follow good practice
 protect the rights of staff, participants, customers, partners and stakeholders
 be open about how CAI stores and processes individuals’ data
 protect CAI from the risks of a data breach
It should be read in conjunction with the CAI Confidentiality Policy which defines the overall approach to
information confidentiality within CAI.

3. To Whom the Policy Applies

The Policy applies to all CAI Staff, including contractors providing services to CAI, and people or organisations
working on behalf of CAI.
CAI requires all Staff to comply with this Policy. Failure to do so will be regarded as serious misconduct and
will be dealt with in accordance with CAI’s disciplinary policy and procedure.

4. Policy
This CAI Data Protection Policy:-
 accepts that by the nature of its work, CAI processes data which is of a sensitive and personal nature
 clarifies CAI’s expectations of Staff with regard to the processing of personal data, (personal data
means information that relates to a living individual who can be identified from the information: it
also includes expressions of opinion and intention)
 gives specific details about the type of information that CAI keeps about its Staff and Stakeholders
and the purposes for which it keeps them
 sets out the duration for which data is retained by CAI
 sets out security measures which Staff must observe to protect data within CAI.
In developing this policy:-
1) In accordance with the GDPR, the Trustees will appoint a Data Protection Officer, a named individual
reporting to the Trustees with day-to-day responsibility for ensuring and demonstrating compliance
with the GDPR; see section 'Responsibilities' defining the specific responsibilities of the Trustees and
the Data Protection Officer.
2) CAI must perform and document a Data Protection Impact Assessment (DPIA), and periodically
thereafter, and whenever there is a change in CAI's activities, way of working, or technology usage.

Version: 0.1 draft Page 3 387950127.doc

5. GDPR Policy Principles
The GDPR requires organisations to manage data according to 6 principles. Personal data must be:
1. processed lawfully (see GDPR requirements for lawful processing below), fairly and in a transparent
manner in relation to the data subject (‘lawfulness, fairness and transparency’);
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is
incompatible with those purposes (‘purpose limitation’);
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are
processed (‘data minimisation’);
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that
personal data that are inaccurate, having regard to the purposes for which they are processed, are
erased or rectified without delay (‘accuracy’);
5. kept in a form which permits identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed (‘storage limitation’);
6. processed in a manner that ensures appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against accidental loss, destruction or damage,
using appropriate technical or organisational measures (‘integrity and confidentiality’).

GDPR Article 6 states processing shall be lawful only if and to the extent that at least one of the following
applies:
1. The data subject has given consent to the processing of his or her personal data for one or more
specific purposes;
2. Processing is necessary for the performance of a contract to which the data subject is party, or in
order to take steps at the request of the data subject prior to entering into a contract;
3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural
person;
5. Processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a
third party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the data
subject is a child.

CAI's Data Protection Policy is designed to comply with these 6 GDPR principles and the requirements of
lawful processing in the following 6 areas:
1. Data collection and usage
2. Data quality
3. Individuals’ rights
4. Data security, storage, destruction and retention
5. Staff data held by CAI
6. External requests for data access
These areas are covered in detail in the following pages.

]Version: 0.1 draft Page 4 [387950127.doc]

[
5.1 Data Collection & Usage
Data shall be:
Processed lawfully (see previous section) and accurately, and processed only for specified and
compatible purposes.
Whenever CAI collects personal data, (e.g. in induction packs; in staff contracts; when participants fill
in forms to join a craft session; volunteers complete an application form; donors provide their
contact details), it must be fully transparent and include a Privacy Notice.
A Privacy Notice is a public statement of how CAI applies data protection principles to processing
data. It should be a clear and concise document that is accessible by individuals, and must be:
▪ concise, transparent, intelligible and easily accessible;
▪ written in clear and plain language, that can be easily understood by the recipient; and
▪ free of charge.

The Privacy Notice should address the following to inform the data subject:
▪ who is collecting the data
▪ what data is being collected
▪ the legal basis for processing the data
▪ whether the data be shared with any third parties
▪ how the information be processed
▪ how long the data will be stored
▪ the rights of the data subject (see section 3 below: “Individual’s rights”)
▪ how the data subject can raise a complaint, and to whom (e.g. the Data Protection Officer)
▪ request consent to process the personal data, and requesting explicit consent for Sensitive
Personal Data (see next paragraph);
▪ if applicable, to allow the recipient to opt out of future marketing literature and
communications

5.1.2 Sensitive Personal Data

Certain data is considered to be sensitive, and special rules apply to it. The categories of Sensitive
Personal Data were originally defined by the DPA as:
▪ racial or ethnic origin;
▪ political opinion;
▪ religious or philosophical beliefs;
▪ trade union membership;
▪ physical and mental health;
▪ sexual life;
▪ the commission or alleged commission of any offence; and
▪ any proceedings for any offence committed or alleged to have been committed, the disposal
of such proceedings or the sentence of any court in such proceedings.
To these, the GDPR has added the following:
▪ genetic data;
Version: 0.1 draft Page 5 387950127.doc
 ▪ biometric data;
▪ health data;
▪ sexual orientation.
Sensitive Personal Data should be held separately from other personal data, preferably in a locked
drawer or filing cabinet. As with personal data generally, if in electronic format, it should only be kept
on laptops or portable devices if the file has been encrypted and/or pseudonymised.
Given the purpose of CAI, participant and staff application forms may include some of these types of
data. To process any Sensitive Personal Data CAI must have explicit consent, over and above the
general consent that applies to other personal data. CAI must be absolutely clear about how the
information will be used and ensure that the individual understands what they are consenting to.

]Version: 0.1 draft Page 6 [387950127.doc]

[
5.2 Data Quality
This covers three principles. Data must be:

5.2.1 Accurate and up to date

CAI must ensure its data is accurate and up to date. In order to comply:
▪ Staff members should inform CAI whenever their personal information changes
▪ there should be periodic reviews to check that participant and staff personal data is up-to-
date
▪ for other types of data, where practical, periodic reviews should be carried out to identify
any mistakes and, where possible, correct them. If not possible to correct, inaccurate
records must be removed.

5.2.2 Relevant and not excessive

CAI only collects personal data that is relevant to its purpose. If it isn't needed, don’t record it.
Opinions as well as facts are covered by the DPA. Care should be taken by all Staff to record facts and
not opinion. Remember, data subjects can ask to see the information held about them.

5.2.3 Keeping information no longer than necessary

Under the GDPR, personal data should not be retained for any longer than necessary. Minimising
data retention and having clear procedures in place to determine how and when to dispose of
personal data is key to complying with the GDPR. Information (whether paper or computerised) no
longer required should be destroyed in accordance with the following retention guidelines:
Data Type Retention period

Statutory financial documents 6 years

Banking records 6 years

Fundraising bids 6 years

8 years (NB. some public sector contracts

Public Sector funding bids require retention for longer periods, including
employment records related to the contract)

Operational records 6 years

Participant records 6 years after attendance ceases

Employee records 6 years

Volunteer records 6 years

Staff DBS check forms Part B & C 6 months

Unsuccessful Employment or Volunteer applications 6 months

Stakeholder (e.g. Funders, Statutory organisations,

6 years
donors) records

Version: 0.1 draft Page 7 387950127.doc

5.3 Individual’s rights
Data shall be processed in accordance with the rights of the individual whose personal information is
being processed. The GDPR provides the following 8 rights for individuals:

5.3.1 The right to be informed

Individuals have the right to be informed about the collection and use of their personal data. This is a
key transparency requirement under the GDPR.
CAI must provide individuals with information including: the purposes for processing their personal
data, the retention periods for that personal data, and who it will be shared with, (called ‘privacy
information’), and the details of transfers of the personal data to any third countries or international
organisations (where applicable). CAI must provide a privacy notice to individuals at the time their
personal data is collected.
If personal data is obtained from other sources, CAI must provide individuals with privacy
information within a reasonable period of obtaining the data and no later than one month.
Privacy information must be concise, transparent, intelligible, easily accessible, and it must use clear
and plain language.
CAI must bring any new uses of an individual’s personal data to their attention before you start the
processing.

5.3.2 The right of access

At any time, anyone can request to see the personal data CAI holds about them (a subject access
request). This information may be held on computer, archives, e-mails, or in paper-based files. The
request may be verbal or in writing, and CAI must respond within 1 month. No charge can be made
for providing the data. The request should be forwarded to the Data Protection Officer, who is
responsible for dealing with such requests.

5.3.3 The right to rectification

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it
is incomplete. An individual can make a request for rectification verbally or in writing, and CAI have
one calendar month to respond.
In certain circumstances CAI can refuse a request for rectification, e.g. if the request is manifestly
unfounded.
This right is closely linked to the data controller’s obligations under the accuracy principle of the
GDPR .

5.3.4 The right to erasure

The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also
known as ‘the right to be forgotten’. So, for example, if an individual gave their permission for their
data to be held, and then changes their mind, their data should be deleted if requested. Individuals
can make a request for erasure verbally or in writing, and CAI has one month to respond to a
request.
The right is not absolute and only applies in certain circumstances. It does not apply if the data is
held to comply with a legal obligation, and other circumstances specified in the GDPR.

]Version: 0.1 draft Page 8 [387950127.doc]

[
 5.3.5 The right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data. This is not
an absolute right and only applies in certain circumstances. When processing is restricted, CAI is
permitted to store the personal data, but not use it. An individual can make a request for restriction
verbally or in writing, and CAI has one calendar month to respond to a request.

5.3.6 The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own
purposes across different services. It allows them to move, copy or transfer personal data easily
from one IT environment to another in a safe and secure way, without affecting its usability. Doing
this enables individuals to take advantage of applications and services that can use this data to find
them a better deal or help them understand their spending habits.
The right only applies to information an individual has provided to a data controller, and only applies
to data processed by automated means i.e. not to paper files.

5.3.7 The right to object

The GDPR gives individuals the right to object to the processing of their personal data in certain
circumstances. Individuals have an absolute right to stop their data being used for direct marketing.
In other cases where the right to object applies you may be able to continue processing if you can
show that you have a compelling reason for doing so.
CAI must tell individuals about their right to object. An individual can make an objection verbally or
in writing, and CAI must respond within one calendar month.

5.3.8 Rights in relation to automated decision making and profiling

The GDPR has provisions on automated individual decision-making (making a decision solely by
automated means without any human involvement); and profiling (automated processing of
personal data to evaluate certain things about an individual). Profiling can be part of an automated
decision-making process. The GDPR applies to all automated individual decision-making and
profiling. CAI does not use automated decision-making or profiling, but if this was to change in the
future, this section of the CAI Data Protection Policy document would need to be further expanded .

Version: 0.1 draft Page 9 387950127.doc

5.4 Data Security, Storage and Destruction
This covers the final principle, that data shall be kept secure.
The overall design intent is to create a robust operating environment which is secure, enables
privacy, transparency and oversight.
These operational processes apply equally to both paper-based and electronic record keeping
systems, holding Participant records, Staff records, and Stakeholder information:-
▪ paper-based files, held securely within the office; and
▪ electronic, or on-line data processing tools, with access to authorized users only.
Manual records are those containing information about Applicants, Participants and Staff that are
not held on computer.
▪ These files do fall within the regulations of the DPA, as they are considered relevant filing
systems.
▪ Relevant filing systems are defined as “any set of information relating to individuals to the
extent that... the set is structured, either by reference to individuals or by reference to
criteria relating to individuals, in such a way that specific information relating to an individual
is readily accessible”.
▪ When not required, all manual records of personal data must be kept in locked drawers or
filing cabinets.
▪ Employees should make sure paper and printouts are not left where unauthorised people
could see them, like on a printer.
▪ Copies and data printouts should be shredded and disposed of securely when no longer
required.
▪ Files should never be left in unattended vehicles.
Computer systems and records: It is CAI's policy that all computers have password-protected screen-
savers and these are kept enabled. This also includes volunteers’ equipment used for CAI's business
and which contains data given to CAI.
▪ It is the staff member’s responsibility to safeguard information held on personal computers
in the same way as paper files held at home. Such information must be transferred to CAI's
equipment at the earliest opportunity and deleted from personal equipment.
▪ Any request for data to be emailed must first be appropriately authenticated. Data must not
be sent without verification of who is requesting the data and the purpose for which it will
be used.
▪ Emailing personal data should be an exception and wherever possible a secure e-mail service
must be used.
▪ Personal data sent by e-mail to external addresses that would cause distress, loss or
embarrassment if mislaid, wrongly directed or compromised is to be password-
protected/encrypted or a secure e-mail service should be used.
▪ Data should be protected by strong passwords that are changed regularly and never shared
between employees.
▪ If data is stored on removable media (like a CD or DVD), these should be kept locked away
securely when not being used.
▪ Data should only be stored on designated drives and servers, and should only be uploaded to
an approved cloud computing services.

]Version: 0.1 draft Page 10 [387950127.doc]

[
 ▪ Servers containing personal data should [ideally] be sited in a secure location, away from
general office space.
▪ Data should be backed up frequently. Those backups should be tested regularly, in line with
CAI’s standard backup procedures.
▪ Data should never be saved to laptops or other mobile devices like tablets or smart phones.
▪ All servers and computers containing data should be protected by approved security
software and a firewall.

Version: 0.1 draft Page 11 387950127.doc

5.5 Staff data held by CAI
The GDPR regulates the way in which certain information about Staff is held and used. This section
gives details about the type of information that CAI keeps about its Staff and the purposes for which
it keeps them. The security and storage of data has been covered previously.
Throughout the period of time as a member of Staff and for as long a period as is necessary after
ceasing to be a member of Staff, CAI will need to keep information for purposes connected with
being a member of Staff. These records may include:
▪ Information gathered about a Staff member and any references obtained during recruitment
▪ Volunteering Agreement / Contract of Employment / Contract for Services (as applicable)
▪ Confidentiality Agreement
▪ Payroll, tax and National Insurance information (if applicable)
▪ Performance information
▪ Details of grade and job duties
▪ Health records
▪ Absence records, including holiday records and self-certification forms
▪ Details of any disciplinary investigations and proceedings
▪ Induction record
▪ Training records
▪ Emergency contact details
▪ Correspondence with CAI.
The information will normally be held for CAI management and administrative use only, but from
time to time, we may need to disclose some information we hold about Staff to relevant third
parties. We may also transfer information to another Group or Organisation, solely for purposes
connected with a Staff member’s career or the management of CAI’s business. This must be
explained when the data is being collected (see 'privacy information' in 'The right to be informed'
above), and therefore agreed by the data subject.
It should also be noted that CAI might hold the following information about a member of Staff for
which disclosure to any person will be made only when strictly necessary for the purposes set out
below:
▪ a member of staff’s health, for the purposes of compliance with our health and safety and
our occupational health obligations;
▪ for the purposes of HR management and administration, for example to consider how a
member of Staff’s health affects his or her ability to do their job or workshop activity and, if
the Staff member is disabled, whether they require any reasonable adjustment to be made
to assist them at work, or participating in any workshop or craft session;
▪ the administration of insurance, pension, sick pay and any other related benefits;
▪ in connection with unspent convictions to enable us to assess suitability to be a member of
Staff.
CAI may also receive requests for disclosure of information from other organisations, these are
covered in the next section.

]Version: 0.1 draft Page 12 [387950127.doc]

[
5.6 External requests for data access
CAI may be contacted by third parties in order to access Participant or Staff records. All requests
must be forwarded to the Data Protection Officer for action.

The Police
If data is requested by the police, it must be confirmed that the reason for the request is that they
wish to contact a named individual about a named criminal investigation (regardless of whether that
individual is a suspect or witness) and that failure to release the data would prejudice the
investigation. Most police forces will have their own request form which should always include a
statement confirming that the information requested is used for the purposes covered in Section 29
of the DPA, a brief outline of the nature of the investigation, the person’s role in that investigation,
and the signature of the investigating officer. This document must be obtained prior to the release
of any information.

Court Order
CAI may receive a request for disclosure in the form of a Court Order.

Other third parties

If CAI is approached with a request for information about a member of staff from any other third
party the following approach should be taken.
CAI will supply the member of Staff with all the necessary information so that the member of Staff
can make an informed decision as to whether they are willing to let the information be released.
Written consent from the member of Staff is required before the information can be released. A
record must be kept of who made the request, what information was requested and why. There are
instances where CAI can proceed without consent and it approaches these requests on a case by
case basis.

Research purposes
Occasionally a company or a funder will wish to use CAI's data for research purposes. If Participants
and other members of staff have given consent for the use of their data for research purposes
through a Privacy Notice, usually data can be released. However, this is not always the case and
advice should be sought before data is actually released.

Sharing information
Data can only be shared with the individual’s consent. However, there are exceptional circumstances
where it may be necessary to share information without consent. Examples of these circumstances
are where it is not possible to obtain consent beforehand or because it might prejudice the purposes
for which the information is being disclosed.
Examples are as follows:
 the individual is at risk of harm, needs urgent medical treatment, or may harm someone
else;
 the disclosure prevents an individual committing a criminal offence that could put others
at risk or place a member of Staff or any other person at risk of accusations of collusion;
 if CAI is ordered to provide information as part of legal proceedings;
 to protect children, young people or vulnerable adults from abuse.
N.B. this is not an exhaustive list so if in doubt please contact the Data Protection Officer. CAI will
consider every request on a case by case basis.

Version: 0.1 draft Page 13 387950127.doc

 Collecting data or buying from third parties
This refers to situations where CAI could, for example, buy-in mailing lists. Confirmation should be
obtained that the party providing the information has the consent of the individual to whom the
information relates and a request for sight of the Privacy Notice. If this confirmation cannot be
obtained the data must not be collected.
CAI does not sell its data. If, in future, CAI intended to share any personal data with other
organisations, the Privacy Notice must make this clear, and the data subject must consent to it.

]Version: 0.1 draft Page 14 [387950127.doc]

[
6. General staff guidelines on working practices to support the policy and principles
▪ The only people able to access data covered by this policy should be those who need it for
their work.
▪ Data should not be shared informally. When access to personal data is required, employees
must request it from their line managers.
▪ CAI will provide training to all employees to help them understand their responsibilities
when handling data.
▪ Employees should keep all data secure, in accordance with CAI policy .
▪ Strong passwords must be used and they should never be shared.
▪ Personal data should not be disclosed to unauthorised people, either within the company or
externally.
▪ Data should be regularly reviewed and updated if it is found to be out of date. If no longer
required, it should be deleted and disposed of.
▪ Employees should request help from their line manager or the Data Protection Officer if they
are unsure about any aspect of data protection.

Version: 0.1 draft Page 15 387950127.doc

7. Responsibilities
Everyone who works for, or with, CAI has some responsibility for ensuring data is collected, stored,
handled and processed must comply this data protection policy and GDPR data protection principles.
However, the following have key areas of responsibility :
The Trustees are ultimately collectively responsible for ensuring data security and data privacy
compliance with the GDPR, and one named Trustee will have specific responsibility to oversee this.
As CAI carries out its own DBS checks, the Trustees must appoint a Data Protection Officer, a named
individual reporting to the Board with responsibility for ensuring and demonstrating compliance with
the GDPR. It is the Trustee’s responsibility to ensure comprehensive but proportionate governance
measures, such as carrying out a DPIA every 2 years and designing data privacy and protection into
its processing activities.
The Trustees should confirm annually that CAI meets the criteria for exemption from ICO registration
and payment of the annual Data Protection Fee (see Appendix 2).
The Data Protection Officer is responsible for:
▪ keeping the Trustees updated about data protection responsibilities, risks and issues;
▪ reviewing data protection procedures and related policies, in line with an agreed schedule;
▪ arranging data protection training and advice for the people covered by this policy;
▪ handling data protection questions from staff and anyone else covered by this policy;
▪ addressing external data protection queries (e.g. from journalists or media outlets);
▪ dealing with subject access requests from individuals to see the data CAI holds about them ,
and any other request covered by the individual's rights relating to the data held on them;
▪ checking and approving contracts or agreements with third parties that may handle the
company’s personal data;
▪ ensuring all systems, services and equipment used for storing data meet the required
security standards;
▪ carrying out DPIAs periodically and when changes are made to systems or activities;
▪ document records of data processing activities (see Appendix 1)
▪ performing regular checks and scans to ensure security hardware and software is functioning
properly;
▪ ensuring any third-party services CAI uses to store or process data, e.g. payroll, complies with
the GDPR
▪ approving any data protection statements attached to communications such as emails and
letters;
▪ ensure marketing initiatives abide by data protection principles.
Data Controllers and Data Processors
The GDPR applies to ‘data controllers’ and ‘data processors’ (see definitions). If CAI, as data
controller, uses other organisations to process data (e.g. payroll) on its behalf, the GDPR places
specific legal obligations on the data processor e.g. to maintain records of personal data and
processing activities. However, CAI, as data controller, is responsible to ensure any contract with a
data processor complies with the GDPR.

]Version: 0.1 draft Page 16 [387950127.doc]

[
Appendix 1: Accountability and Governance
The GDPR includes provisions that promote accountability and governance which complement the GDPR’s
transparency requirements. While the principles of accountability and transparency have previously been
implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
Organisations are expected to put into place comprehensive but proportionate governance measures such as
DPIAs and data privacy by design (see below).

The accountability principle

The new accountability principle requires organisations to demonstrate they comply with the principles, and
states explicitly that this is their responsibility.
To demonstrate that you comply you must:
1) Implement appropriate technical and organisational measures that ensure compliance. This may
include internal data protection policies such as staff training, internal audit of processing activities,
and reviews of internal HR policies.
2) Maintain relevant documentation on processing activities (see below).
3) Where appropriate, appoint a Data Protection Officer.
4) Implement measures that meet the principles of data protection by design and data protection by
default. Measures could include: data minimisation, pseudonymisation, transparency, allowing
individuals to monitor processing, creating and improving security features on an ongoing basis, and
using DPIAs when appropriate.

Records of processing activities

Article 30 requires organisations to document their data processing activities. CAI, as a smaller organisation
with less than 250 employees, is only required to maintain records of activities related to higher risk
processing such as:-
 Processing personal data that could result in a risk to the rights and freedoms of individual; or
 Processing of special categories of data or criminal convictions and offences.
However, for the purposes of good governance and accountability, the Trustees recommend CAI should
subsequently document all data processing activities as soon as is practical. See https://ico.org.uk/for-
organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/what-do-we-need-to-
document-under-article-30-of-the-gdpr/
Internal records of processing activities must record the following information:-
 Purposes of the processing.
 Description of the categories of individuals and categories of personal data.
 Categories of recipients of personal data.
 Details of transfers to third countries including documentation of the transfer mechanism safeguards
in place.
 Retention schedules.
 Description of technical and organisational security measures.

Version: 0.1 draft Page 17 387950127.doc

Appendix 2: Registration with ICO and Data Protection Fee
Organisations are required to register with ICO and pay an annual Data Protection Fee, unless otherwise
exempted.
CAI is exempt from registration and fee, as it currently meets the following conditions (see:
https://ico.org.uk/for-organisations/register/faqs):
“You do not have to register if organisation was established for not-for-profit making purposes and
does not make a profit or if your organisation makes a profit for its own purposes, as long as the
profit is not used to enrich others. You must:
 only process information necessary to establish or maintain membership or support;
 only process information necessary to provide or administer activities for people who are
members of the organisation or have regular contact with it;
 only share the information with people and organisations necessary to carry out the
organisation’s activities. Important - if individuals give you permission to share their
information, this is OK (you can still answer ‘yes’); and
 only keep the information while the individual is a member or supporter or as long as
necessary for member/supporter administration.”
If at any stage in the future CAI should no longer meet the conditions of these exemptions, then it must
register and pay the appropriate annual fee. Failure to do so will result in a Civil Monetary Penalty. The
Trustees should therefore review annually whether CAI still qualifies for exemption.

]Version: 0.1 draft Page 18 [387950127.doc]

[